Pull request 1750: 5468-disallowed-dnstype
Updates #5468. Squashed commit of the following: commit ecb0c7cc53d43fe5aa75be0c5fc0f2a9179099ad Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Mon Feb 27 13:57:40 2023 +0300 dnsforward: imp access test commit 3fdc2c4533d1fce8a01f6e636e326454ef96565b Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Wed Feb 22 19:29:50 2023 +0300 dnsforward: allow dnstype rules in disallowed domains
This commit is contained in:
parent
304f2ba2cc
commit
386add033b
|
@ -23,6 +23,11 @@ See also the [v0.107.26 GitHub milestone][ms-v0.107.26].
|
||||||
NOTE: Add new changes BELOW THIS COMMENT.
|
NOTE: Add new changes BELOW THIS COMMENT.
|
||||||
-->
|
-->
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- The ability to use `dnstype` rules in the disallowed domains list ([#5468]).
|
||||||
|
This allows dropping requests based on their question types.
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
- Requirements to domain names in domain-specific upstream configurations have
|
- Requirements to domain names in domain-specific upstream configurations have
|
||||||
|
@ -31,6 +36,7 @@ NOTE: Add new changes BELOW THIS COMMENT.
|
||||||
|
|
||||||
[#4884]: https://github.com/AdguardTeam/AdGuardHome/issues/4884
|
[#4884]: https://github.com/AdguardTeam/AdGuardHome/issues/4884
|
||||||
[#5431]: https://github.com/AdguardTeam/AdGuardHome/issues/5431
|
[#5431]: https://github.com/AdguardTeam/AdGuardHome/issues/5431
|
||||||
|
[#5468]: https://github.com/AdguardTeam/AdGuardHome/issues/5468
|
||||||
|
|
||||||
[rfc3696]: https://datatracker.ietf.org/doc/html/rfc3696
|
[rfc3696]: https://datatracker.ietf.org/doc/html/rfc3696
|
||||||
|
|
||||||
|
|
|
@ -13,6 +13,7 @@ import (
|
||||||
"github.com/AdguardTeam/golibs/stringutil"
|
"github.com/AdguardTeam/golibs/stringutil"
|
||||||
"github.com/AdguardTeam/urlfilter"
|
"github.com/AdguardTeam/urlfilter"
|
||||||
"github.com/AdguardTeam/urlfilter/filterlist"
|
"github.com/AdguardTeam/urlfilter/filterlist"
|
||||||
|
"github.com/AdguardTeam/urlfilter/rules"
|
||||||
)
|
)
|
||||||
|
|
||||||
// unit is a convenient alias for struct{}
|
// unit is a convenient alias for struct{}
|
||||||
|
@ -127,8 +128,12 @@ func (a *accessManager) isBlockedClientID(id string) (ok bool) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// isBlockedHost returns true if host should be blocked.
|
// isBlockedHost returns true if host should be blocked.
|
||||||
func (a *accessManager) isBlockedHost(host string) (ok bool) {
|
func (a *accessManager) isBlockedHost(host string, qt rules.RRType) (ok bool) {
|
||||||
_, ok = a.blockedHostsEng.Match(strings.ToLower(host))
|
_, ok = a.blockedHostsEng.MatchRequest(&urlfilter.DNSRequest{
|
||||||
|
Hostname: host,
|
||||||
|
ClientIP: "0.0.0.0",
|
||||||
|
DNSType: qt,
|
||||||
|
})
|
||||||
|
|
||||||
return ok
|
return ok
|
||||||
}
|
}
|
||||||
|
|
|
@ -4,6 +4,8 @@ import (
|
||||||
"net/netip"
|
"net/netip"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
|
"github.com/AdguardTeam/urlfilter/rules"
|
||||||
|
"github.com/miekg/dns"
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
)
|
)
|
||||||
|
@ -28,54 +30,75 @@ func TestIsBlockedHost(t *testing.T) {
|
||||||
"host1",
|
"host1",
|
||||||
"*.host.com",
|
"*.host.com",
|
||||||
"||host3.com^",
|
"||host3.com^",
|
||||||
|
"||*^$dnstype=HTTPS",
|
||||||
})
|
})
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
testCases := []struct {
|
testCases := []struct {
|
||||||
|
want assert.BoolAssertionFunc
|
||||||
name string
|
name string
|
||||||
host string
|
host string
|
||||||
want bool
|
qt rules.RRType
|
||||||
}{{
|
}{{
|
||||||
|
want: assert.True,
|
||||||
name: "plain_match",
|
name: "plain_match",
|
||||||
host: "host1",
|
host: "host1",
|
||||||
want: true,
|
qt: dns.TypeA,
|
||||||
}, {
|
}, {
|
||||||
|
want: assert.False,
|
||||||
name: "plain_mismatch",
|
name: "plain_mismatch",
|
||||||
host: "host2",
|
host: "host2",
|
||||||
want: false,
|
qt: dns.TypeA,
|
||||||
}, {
|
}, {
|
||||||
|
want: assert.True,
|
||||||
name: "subdomain_match_short",
|
name: "subdomain_match_short",
|
||||||
host: "asdf.host.com",
|
host: "asdf.host.com",
|
||||||
want: true,
|
qt: dns.TypeA,
|
||||||
}, {
|
}, {
|
||||||
|
want: assert.True,
|
||||||
name: "subdomain_match_long",
|
name: "subdomain_match_long",
|
||||||
host: "qwer.asdf.host.com",
|
host: "qwer.asdf.host.com",
|
||||||
want: true,
|
qt: dns.TypeA,
|
||||||
}, {
|
}, {
|
||||||
|
want: assert.False,
|
||||||
name: "subdomain_mismatch_no_lead",
|
name: "subdomain_mismatch_no_lead",
|
||||||
host: "host.com",
|
host: "host.com",
|
||||||
want: false,
|
qt: dns.TypeA,
|
||||||
}, {
|
}, {
|
||||||
|
want: assert.False,
|
||||||
name: "subdomain_mismatch_bad_asterisk",
|
name: "subdomain_mismatch_bad_asterisk",
|
||||||
host: "asdf.zhost.com",
|
host: "asdf.zhost.com",
|
||||||
want: false,
|
qt: dns.TypeA,
|
||||||
}, {
|
}, {
|
||||||
|
want: assert.True,
|
||||||
name: "rule_match_simple",
|
name: "rule_match_simple",
|
||||||
host: "host3.com",
|
host: "host3.com",
|
||||||
want: true,
|
qt: dns.TypeA,
|
||||||
}, {
|
}, {
|
||||||
|
want: assert.True,
|
||||||
name: "rule_match_complex",
|
name: "rule_match_complex",
|
||||||
host: "asdf.host3.com",
|
host: "asdf.host3.com",
|
||||||
want: true,
|
qt: dns.TypeA,
|
||||||
}, {
|
}, {
|
||||||
|
want: assert.False,
|
||||||
name: "rule_mismatch",
|
name: "rule_mismatch",
|
||||||
host: ".host3.com",
|
host: ".host3.com",
|
||||||
want: false,
|
qt: dns.TypeA,
|
||||||
|
}, {
|
||||||
|
want: assert.True,
|
||||||
|
name: "by_qtype",
|
||||||
|
host: "site-with-https-record.example",
|
||||||
|
qt: dns.TypeHTTPS,
|
||||||
|
}, {
|
||||||
|
want: assert.False,
|
||||||
|
name: "by_qtype_other",
|
||||||
|
host: "site-with-https-record.example",
|
||||||
|
qt: dns.TypeA,
|
||||||
}}
|
}}
|
||||||
|
|
||||||
for _, tc := range testCases {
|
for _, tc := range testCases {
|
||||||
t.Run(tc.name, func(t *testing.T) {
|
t.Run(tc.name, func(t *testing.T) {
|
||||||
assert.Equal(t, tc.want, a.isBlockedHost(tc.host))
|
tc.want(t, a.isBlockedHost(tc.host, tc.qt))
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -93,29 +116,29 @@ func TestIsBlockedIP(t *testing.T) {
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
testCases := []struct {
|
testCases := []struct {
|
||||||
|
ip netip.Addr
|
||||||
name string
|
name string
|
||||||
wantRule string
|
wantRule string
|
||||||
ip netip.Addr
|
|
||||||
wantBlocked bool
|
wantBlocked bool
|
||||||
}{{
|
}{{
|
||||||
|
ip: netip.MustParseAddr("1.2.3.4"),
|
||||||
name: "match_ip",
|
name: "match_ip",
|
||||||
wantRule: "1.2.3.4",
|
wantRule: "1.2.3.4",
|
||||||
ip: netip.MustParseAddr("1.2.3.4"),
|
|
||||||
wantBlocked: true,
|
wantBlocked: true,
|
||||||
}, {
|
}, {
|
||||||
|
ip: netip.MustParseAddr("5.6.7.100"),
|
||||||
name: "match_cidr",
|
name: "match_cidr",
|
||||||
wantRule: "5.6.7.8/24",
|
wantRule: "5.6.7.8/24",
|
||||||
ip: netip.MustParseAddr("5.6.7.100"),
|
|
||||||
wantBlocked: true,
|
wantBlocked: true,
|
||||||
}, {
|
}, {
|
||||||
|
ip: netip.MustParseAddr("9.2.3.4"),
|
||||||
name: "no_match_ip",
|
name: "no_match_ip",
|
||||||
wantRule: "",
|
wantRule: "",
|
||||||
ip: netip.MustParseAddr("9.2.3.4"),
|
|
||||||
wantBlocked: false,
|
wantBlocked: false,
|
||||||
}, {
|
}, {
|
||||||
|
ip: netip.MustParseAddr("9.6.7.100"),
|
||||||
name: "no_match_cidr",
|
name: "no_match_cidr",
|
||||||
wantRule: "",
|
wantRule: "",
|
||||||
ip: netip.MustParseAddr("9.6.7.100"),
|
|
||||||
wantBlocked: false,
|
wantBlocked: false,
|
||||||
}}
|
}}
|
||||||
|
|
||||||
|
|
|
@ -31,9 +31,11 @@ func (s *Server) beforeRequestHandler(
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(pctx.Req.Question) == 1 {
|
if len(pctx.Req.Question) == 1 {
|
||||||
host := strings.TrimSuffix(pctx.Req.Question[0].Name, ".")
|
q := pctx.Req.Question[0]
|
||||||
if s.access.isBlockedHost(host) {
|
qt := q.Qtype
|
||||||
log.Debug("host %s is in access blocklist", host)
|
host := strings.TrimSuffix(q.Name, ".")
|
||||||
|
if s.access.isBlockedHost(host, qt) {
|
||||||
|
log.Debug("request %s %s is in access blocklist", dns.Type(qt), host)
|
||||||
|
|
||||||
return s.preBlockedResponse(pctx)
|
return s.preBlockedResponse(pctx)
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue